What Will It Take To Get Ahead Of Our Vulnerabilities?
Kevin Poulsen
31

Humans Can Be Security’s Strongest Link

Security is no longer just the concern of the “internet garbage man” — it’s now part of everyone’s job

Mark Twain once said, “History does not repeat itself, but it rhymes.” Technology may be moving at a rate that is hard to comprehend, but the problems are fairly consistent. When I started my career in security as a “security officer,” my parents were concerned that I had spent all this money on a college education to drive a golf cart around a mall parking lot. One of my first jobs out of college was literally described as being the “internet garbage man.” The mentality was that security only happens after things blow up and we really don’t need to think about it until then.

This very common human attitude is still at the root of any security risk assessment today. In fact, as long as humans sit at the center of technology use and design, they will continue to be the weakest link either through bad decisions or apathy. For example, most sophisticated computer intrusions start with a spam message designed to get the recipient to click on a malicious link or attachments.

The good news is that humans can also be the strongest link in your security strategy, if you find a way to make security the responsibility of everyone.

At Box, we routinely tell our fellow Boxers that they are our most important security control. The key to security is not a sexy new kind of technology, it’s not machine or deep learning, and it certainly can’t be bought from a store. Of all the awesome technology we’ve deployed to catch bad things before they happen, our employees continue to have the highest rates of detection when it comes to sophisticated attacks. That’s why every chance I get I thank my co-workers for helping me get my job done.

Joel De La Garza, Chief Security Officer / Box

And it’s not just about being vigilant against outside threats. People who feel like they are responsible for owning security start to build security into their work, before it’s ever out in the world. Our developers constantly reach out to our security team to have us vet new solutions to security problems we had yet to consider. As a result, security is part of every line of code we release and every single product we ship.

The key to security is getting every person to care about it, to set a shared value that we must “protect our house” both at home and in the office. Like all values, it can’t be a hollow slogan that lives only on the walls. Therefore, it has to be constantly reinforced at the highest levels of every company and our public officials. Two days ago I was ecstatic to see President Obama had written an op-ed in the Wall Street Journal about his plan for protecting innovation from cyber threats. To see this level of engagement from the President of the United States represents a profound shift in the way our political leaders are viewing security, and it will only pay dividends. Similarly, public discussions like this go a very long way towards promoting awareness, which will eventually drives both change and accountability. People are the best and worst part of your security operation, and sunlight is the best disinfectant.

The Future of Security Roundtable is a Google-sponsored initiative that brings together thought leaders to discuss how we can best protect ourselves from the data breaches and security risks of tomorrow. Panelists are not affiliated with Google, and their opinions are their own. Read the post that kicked off the roundtable here and feel free to join in the conversation.